Yep, it's evil. Like mama says, it's the devil.

On 07/17/2018 08:38 AM, Josh Luthman wrote:
Definitely need 6.42+; there are two major exploits you're open to.


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Tue, Jul 17, 2018 at 6:44 AM, Nick W <nickdwh...@gmail.com> wrote:

    Based on those versions you listed, it sounds like the Winbox
    vulnerability described here:
    https://forum.mikrotik.com/viewtopic.php?t=133533

    Password complexity isn't really the issue since they could
    connect and download the unencrypted user database file. Firewall
    off Winbox and/or upgrade. Run 6.40.8+ for bugfix or 6.42.1+ for
    current.



    On Mon, Jul 16, 2018 at 11:01 PM Nate Burke <n...@blastcomm.com> wrote:

        I just happened to be looking through the logs of a couple of
        Mikrotiks that I didn't have Winbox firewalled off from the
        outside world. Someone from the outside world logged into Winbox
        today. I had what I 'thought' were strong passwords on them. The
        only active service on the router is the Winbox service.

        The only changes that were made were that they enabled the
        'socks' server and added an input firewall rule for the socks
        port. They were in and out of the router in a matter of seconds,
        so it looks like it was scripted somehow.

        I'm going through now and changing passwords and verifying all
        routers are locked from the outside. On the routers that I've
        found this on, all the logins were sourced from this same IP
        address. So far the affected routers I've found were running
        versions 6.39-6.41.3.

        Might be a good time to check your logs and access controls.


        jul/15 02:29:14 system,info,account user admin logged in from 194.40.240.254 via winbox
        jul/15 02:29:17 system,info,account user admin logged in from 194.40.240.254 via telnet
        jul/15 02:29:18 system,info socks config changed by admin
        jul/15 02:29:18 system,info filter rule added by admin
        jul/15 02:29:19 system,info,account user admin logged out from 194.40.240.254 via winbox
        jul/15 02:29:19 system,info,account user admin logged out from 194.40.240.254 via telnet




--
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
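
An added example, not part of the original thread: one way to run the log check suggested above over exported RouterOS log text, flagging logins from outside your management networks and any config change by the same user shortly afterwards. The allowlist, the 60-second window, the `year` default and the sample addresses are assumptions made for illustration.

```python
import ipaddress
import re
from datetime import datetime

# Constructed sample in the log format quoted in the thread; addresses are
# placeholders (documentation and private ranges), not taken from the post.
SAMPLE_LOG = """\
jul/15 02:29:14 system,info,account user admin logged in from 203.0.113.50 via winbox
jul/15 02:29:17 system,info,account user admin logged in from 203.0.113.50 via telnet
jul/15 02:29:18 system,info socks config changed by admin
jul/15 02:29:18 system,info filter rule added by admin
jul/15 02:29:19 system,info,account user admin logged out from 203.0.113.50 via winbox
jul/16 09:00:00 system,info,account user admin logged in from 10.0.0.5 via winbox
jul/16 09:05:00 system,info filter rule added by admin
"""

LINE = re.compile(r"^(\w{3}/\d{2} \d{2}:\d{2}:\d{2}) (\S+) (.*)$")
LOGIN = re.compile(r"^user (\S+) logged in from (\S+) via (\S+)$")
CHANGE = re.compile(r"^(.+) (?:changed|added|removed) by (\S+)$")

def outside(src, nets):
    """True if src is not in a management network (non-IP sources count as outside)."""
    try:
        return not any(ipaddress.ip_address(src) in n for n in nets)
    except ValueError:
        return True

def find_suspicious(log_text, mgmt_nets, window_s=60, year=2018):
    """Flag logins from outside mgmt_nets and config changes made by the
    same user within window_s seconds of such a login."""
    nets = [ipaddress.ip_network(n) for n in mgmt_nets]
    last_ext = {}  # user -> (time, source) of the latest outside login
    findings = []
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        # These log lines carry no year; `year` is an assumption.
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b/%d %H:%M:%S")
        msg = m.group(3)
        if (lg := LOGIN.match(msg)) and outside(lg.group(2), nets):
            user, src, svc = lg.groups()
            last_ext[user] = (ts, src)
            findings.append(("outside-login", m.group(1), user, f"{src} via {svc}"))
        elif (ch := CHANGE.match(msg)) and ch.group(2) in last_ext:
            seen, src = last_ext[ch.group(2)]
            if 0 <= (ts - seen).total_seconds() <= window_s:
                findings.append(("change-after-outside-login", m.group(1),
                                 ch.group(2), f"{ch.group(1)} (login from {src})"))
    return findings
```

Calling `find_suspicious(SAMPLE_LOG, ["10.0.0.0/8"])` returns the two outside logins and the two changes that follow them; the later change made after a login from 10.0.0.5 is not flagged.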

